When you publish a back-end ISA Server 2006 computer on a front-end ISA Server 2006 computer that faces the Internet, you cannot enable forms-based authentication on both computers

Article translations Article translations
Article ID: 943214 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

Consider the following scenario:
  • You publish a Web site on a back-end Microsoft Internet Security and Acceleration (ISA) Server 2006 computer.
  • You publish the back-end ISA Server 2006 computer on a front-end ISA Server 2006 computer that faces the Internet.
  • You want to enable forms-based authentication on both ISA Server 2006 computers to authenticate Web traffic. For example, the front-end server uses RADIUS one-time password (OTP) together with forms-based authentication. The back-end ISA Server computer is joined to the corporate Active Directory directory service domain. This ISA Server computer uses Windows integrated authentication.
In this scenario, you cannot enable forms-based authentication on both ISA Server computers.

CAUSE

Currently, ISA Server 2006 is hardcoded to use the CookieAuth.dll string as an identifier to implement forms-based authentication. In this case, ISA Server 2006 uses the "cookieauth.dll" string in the URL of the Web requests. If both the front-end ISA Server computer and the back-end ISA Server computer use the same identifier, the front-end computer will process the authentication form that is intended for the back-end computer.

RESOLUTION

An update is available that lets you enable an alternative cookie authentication handler string for forms-based authentication. Therefore, the front-end computer can use the "cookieauth.dll" string in the URL of the Web requests. The back-end computer can use the "FBAHANDLER.DLL" string in the URL of the Web requests.

Changes on the back-end ISA Server computer

Follow these steps on the back-end computer that is running ISA Server 2006:
  1. Apply the hotfix package that is described in the following Microsoft Knowledge Base article:
    943215 Description of the ISA Server 2006 hotfix package: October 7, 2007
  2. Start Notepad.
  3. Copy and then paste the following text into Notepad.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' Copyright (c) Microsoft Corporation. All rights reserved.
    ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
    ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
    ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
    ' HEREBY PERMITTED.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "UseAltExtensionRequestIdentifier"
    Const SE_VPS_VALUE = true
    
    Sub SetValue()
    
        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
    
        'Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object
    
        ' Get references to the array object
        ' and the network rules collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets
    
        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    
        If Err.Number <> 0 Then
            Err.Clear
    
            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
    
        Else
            WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
        End If
    
        Err.Clear
        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
    
        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError
    
            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
            End If
        End If
    
    End Sub
    
    Sub CheckError()
    
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    
    End Sub
    
    SetValue
    
    
    Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.
  4. Save the file as a Microsoft Visual Basic script file by using the .vbs file name extension. For example, use the following name to save the file:
    UseAltExtensionRequestIdentifier.vbs
  5. Open a command prompt, move to the location in which you saved the UseAltExtensionRequestIdentifier.vbs file, and then type the following command:
    cscript UseAltExtensionRequestIdentifier.vbs

Changes on the front-end ISA Server computer

On the front-end computer, create a link translation mapping in the Web publishing rule to translate "/cookieauth.dll" to "/FBAHANDLER.DLL." To do this, follow these steps:
  1. Open the ISA Server Management console.
  2. In the console tree, expand Microsoft Internet Security and Acceleration Server 2006.
  3. If you are running ISA Server 2006 Enterprise Edition, expand Arrays, and then expand the node that corresponds to the array. If you are running ISA Server 2006 Standard Edition, expand the node that corresponds to the front-end computer.
  4. Click Firewall Policy.
  5. Right-click the Web publishing rule, and then click Properties.
  6. On the Link Translation tab, make sure that the Apply link translation to this rule check box is selected, and then click Configure.
  7. In the Locally Defined Mappings dialog box, click Add.
  8. In the Replace this text box, type /cookieauth.dll.
  9. In the With this text box, type /FBAHANDLER.DLL.
  10. Click OK three times.
  11. Click Apply.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Properties

Article ID: 943214 - Last Review: November 13, 2007 - Revision: 2.3
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
Keywords: 
kbqfe kbexpertiseinter KB943214

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com